SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 92

Security Affairs
Actively Exploited

Overview

Recent research has identified thirty-six malicious npm packages related to the Strapi framework that have been linked to Redis remote code execution (RCE), database theft, and persistent command and control (C2) capabilities. In addition, malicious LNK files are being used to distribute a Python-based backdoor, and the Kimsuky Group has changed its distribution techniques to make its attacks more effective. These developments pose serious risks to developers and organizations using these tools, as they could lead to unauthorized access and data breaches. Users should stay vigilant and ensure they are using secure versions of these packages to avoid falling victim to these threats.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Strapi framework, Redis, npm packages, Python-based backdoor
  • Action Required: Users should review and remove any malicious npm packages, ensure their software is up to date, and follow best practices for securing their environments.
  • Timeline: Newly disclosed

Original Article Summary

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2; Malicious LNK Files Distributing a Python-Based Backdoor and Changes in Distribution Techniques (Kimsuky Group); Hackers Are Attempting to Turn ComfyUI Servers Into a […]

Impact

Strapi framework, Redis, npm packages, Python-based backdoor

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Users should review and remove any malicious npm packages, ensure their software is up to date, and follow best practices for securing their environments.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Malware, RCE, Redis.

Related Coverage

Hacker Used Claude Code, GPT-4.1 to Exfiltrate Hundreds of Millions of Mexican Records

Hackread – Cybersecurity News, Data Breaches, AI and More

A hacker has reportedly used advanced AI tools, Claude Code and GPT-4.1, to steal personal records of hundreds of millions of Mexican citizens from nine different government agencies. This breach raises serious concerns about data security and the potential misuse of sensitive information. The stolen records likely include personal identifiers, which could lead to identity theft or fraud. The incident highlights vulnerabilities in governmental data protection practices and the growing capabilities of cybercriminals using AI for malicious purposes. Authorities will need to investigate the breach thoroughly and implement stronger security measures to protect citizen data in the future.

Apr 12, 2026

Critical Marimo pre-auth RCE flaw now under active exploitation

BleepingComputer

A serious vulnerability in Marimo software has come to light, allowing attackers to execute remote code without needing authentication. This flaw is currently being exploited to steal user credentials, making it a pressing issue for organizations using this software. The nature of the vulnerability means that it could potentially affect a wide range of users and systems that rely on Marimo. Companies need to act quickly to protect their data and systems from unauthorized access. Immediate action is essential to mitigate the risk posed by this vulnerability as attackers are actively targeting it.

Apr 12, 2026

FBI Atlanta and Indonesian National Police Take Down W3LLSTORE Phishing Marketplace

Hackread – Cybersecurity News, Data Breaches, AI and More

The FBI Atlanta office, in collaboration with the Indonesian National Police, has successfully shut down W3LLSTORE, a phishing marketplace linked to a significant $20 million fraud scheme. Authorities seized multiple domains associated with the site and detained its developer, marking a notable victory in the fight against online fraud. W3LLSTORE facilitated the distribution of phishing kits and other malicious tools, which allowed cybercriminals to target unsuspecting victims. This operation not only disrupts the marketplace but also sends a strong message to those involved in cybercrime. The crackdown is crucial as it helps protect individuals and organizations from falling victim to similar scams in the future.

Apr 12, 2026

Security Affairs newsletter Round 572 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs

Researchers at Censys have identified 5,219 devices that are vulnerable to attacks from Iranian Advanced Persistent Threat (APT) groups, with a significant number located in the United States. This exposure raises concerns about the potential for targeted cyber operations against various sectors, especially given the geopolitical tensions involving Iran. The findings suggest that organizations should assess their security postures and take proactive measures to mitigate risks associated with these vulnerabilities. The presence of such a large number of exposed devices indicates a broader issue of inadequate cybersecurity practices that could lead to severe consequences if exploited. Companies and users need to be vigilant and enhance their defenses against these potential threats.

Apr 12, 2026

Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S.

Security Affairs

Censys researchers have identified 5,219 Rockwell PLCs (Programmable Logic Controllers) that are exposed to potential attacks, with the majority located in the United States. This warning comes after U.S. agencies, including the FBI, CISA, and NSA, reported that Iranian-linked advanced persistent threat groups are actively exploiting these internet-connected devices. The attacks target operational technology across various critical infrastructure sectors, raising concerns about national security. Experts are urging organizations to secure these devices or disconnect them from the internet to prevent potential breaches. The situation underscores the need for better security measures in industrial control systems, especially as cyber threats continue to evolve.

Apr 11, 2026

GlassWorm evolves with Zig dropper to infect multiple developer tools

Security Affairs

The GlassWorm campaign has evolved significantly since its inception in 2025, now utilizing a Zig-based dropper embedded in a fake Integrated Development Environment (IDE) extension. This method targets developer tools, allowing attackers to compromise systems through malicious software packages. Initially starting with harmful npm packages, the campaign has escalated to large-scale supply chain attacks affecting platforms like GitHub, npm, and Visual Studio Code. Additionally, the attackers have deployed Remote Access Trojans (RATs) via counterfeit browser extensions. This evolution raises concerns for developers and organizations, as it highlights the growing sophistication of supply chain threats in the software development ecosystem.

Apr 11, 2026